Russian Hackers Phish Signal and WhatsApp Accounts of Officials, U.S. Offers $10 M Bounty
What Happened — Russian‑linked groups UNC5792 and UNC4221 have been using sophisticated phishing campaigns against Signal and WhatsApp to steal users’ backup recovery keys and hijack accounts. The attacks have compromised thousands of accounts belonging to government officials, diplomats, journalists and other high‑value targets. The U.S. Department of State’s Rewards for Justice program is offering up to $10 million for information that leads to the identification of the actors.
Why It Matters for Compliance & Audit Readiness
- Phishing that harvests authentication material bypasses technical controls; SOC 2 access‑control policies must require strong user‑training and verification of device‑linking procedures.
- Continuous evidence of security‑awareness training and simulated phishing tests provides audit‑ready proof that the organization mitigates social‑engineering risk.
- Mapping this threat to the SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls demonstrates due diligence in protecting confidential communications.
Who Is Affected – Government agencies, diplomatic missions, defense and intelligence partners, investigative journalists, NGOs supporting Ukraine, and academic researchers (primarily GOV_PUBLIC and MEDIA_ENT sectors).
Recommended Actions
- Incorporate secure‑messaging device‑linking workflows into your security‑awareness curriculum and test them with regular phishing simulations.
- Enforce multi‑factor authentication and recovery‑key management policies for any corporate‑approved messaging apps.
- Document training completion and phishing‑test results as part of your SOC 2 evidence repository.
Source: Security Affairs
Technical Notes – Attack vector: social‑engineering/phishing; exploits legitimate device‑linking features in Signal and WhatsApp to capture backup recovery keys. No vulnerability (CVE) disclosed. Compromised data includes past conversation history, contact lists and the ability to launch further phishing from hijacked accounts. Source: same as above